Even though the codec source code is available, it is compiled by Cisco and provided to Mozilla. Something in me doesn't 100% trust that Cisco won't use this as an opportunity to put hidden spyware on everyone's computers. The US gov't can force American companies to secretly implement spyware, right?

But with access to the source code, it's easily possible to verify that the binary supplied corresponds to the source.

That's how we know that TrueCrypt has no "binary" backdoors - we just try different combinations of compiling, noting the differences, until we find the one that Cisco used. If we never find the exact combination, the differences between a "known good" compile of the original source and the final binary make the amount of code to blind-check almost negligible in comparison.

It's when people DON'T provide source that you should be suspicious, or when you can't get close to their source providing their binary.

No. In fact it's absurdly difficult to reliably create reproducible builds [debian.org]. Debian has been working on this since at least 2009 (afaict) and has been plowing through issues but you still can't get an identical Kernel [debian.org] as the .deb. Heck, it was 8 weeks just for the Tor browser [debian.org].

It's not just the compilation tools, it's the entire build environment that needs to be homogenized. All kinds of components will insert uname/hostname and paths into the binary, filesystems list the contents of a directory in undefined order, timestamps and permissions are embedded into tarballs and documentation, different locales produce other weirdness.

tl;dr: it's much harder than just installing an identical version of clang and hitting make.

[ And, as an aside, this goes back decades. The infrastructure around builds was never designed with reproducibility as a design goal. We are basically retrofitting this new requirement on decades of legacy code that never even considered that we would want such a thing... ]
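Added example, not part of any comment in this thread: a Python sketch of the tarball case described above, where the same source tree archived from two build environments differs byte for byte until paths, timestamps, permissions, ownership and entry order are pinned. The sample files and all function and parameter names (`make_tree`, `naive_tar`, `reproducible_tar`, `source_date_epoch`) are constructed for illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample source tree (not from any real project).
FILES = {
    "src/codec.c": b"int decode(void) { return 0; }\n",
    "build.sh": b"#!/bin/sh\ncc -c src/codec.c\n",
    "README": b"sample tree\n",
}

def make_tree(root, order, mtime, group_write):
    """Write FILES under root in a given creation order, mtime and umask style."""
    for rel in order:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(FILES[rel])
        mode = 0o755 if rel.endswith(".sh") else 0o644
        os.chmod(path, mode | (0o020 if group_write else 0))
        os.utime(path, (mtime, mtime))

def naive_tar(src_dir):
    """Default behaviour: headers carry build path, mtimes, modes, uid/gid, user names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir)
    return buf.getvalue()

def reproducible_tar(src_dir, source_date_epoch=0):
    """Same file contents, with every environment-dependent header field pinned."""
    rel_paths = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel_paths.append(os.path.relpath(full, src_dir).replace(os.sep, "/"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        # Code-point sort: independent of filesystem listing order and locale.
        for rel in sorted(rel_paths):
            full = os.path.join(src_dir, rel)
            info = tarfile.TarInfo(name=rel)       # relative name, no build path
            info.size = os.path.getsize(full)
            info.mtime = source_date_epoch         # fixed timestamp
            executable = os.stat(full).st_mode & 0o100
            info.mode = 0o755 if executable else 0o644  # drop umask differences
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()

def compare_builds():
    """Archive two copies of the tree made under different environments."""
    def digest(data):
        return hashlib.sha256(data).hexdigest()
    names = list(FILES)
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, names, mtime=1_400_000_000, group_write=False)
        make_tree(b, names[::-1], mtime=1_400_086_400, group_write=True)
        return {
            "naive_equal": digest(naive_tar(a)) == digest(naive_tar(b)),
            "reproducible_equal": digest(reproducible_tar(a)) == digest(reproducible_tar(b)),
        }

if __name__ == "__main__":
    print(compare_builds())
```
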

Yes and no. Yes, absolutely, it's absurdly difficult to create identical binaries, for the reasons you mentioned.

But you can pretty reasonably get close enough to make manual inspection of the differences easy enough. And as you said the differences are usually filepaths, hostnames, timestamps etc so one can identify the difference as benign pretty easily.

That's not good enough for general build reproducibility, but for one off code t

I don't think you understand "trusting trust". If you have the binary, and you are verifying it, that's not the same process at all.

However, no, you can't trust it. It's not because you can't verify it, it's because you can't do it without violating their patents. Also because it's quite difficult to verify large code bases. But if I understand things correctly, even to translate the binary into assembler code would violate their patent.

How do we know that we haven't been served with national security letters??!?!?!?!

Seriously, nothing will make you happy. Sad part is you're whining about this sort of thing, but you still use a computer that boots from proprietary code on a proprietary processor. The BIOS/EFI is the easiest place to insert a back door and is in fact the place that many motherboards emulate physical hardware using system management mode of the CPU.

But hey, you worry about Cisco back dooring your video codec used by the br

They're probably the same people who signed off the switches I bought. The same switches that conveniently changed into a hub* after a couple of months. Maybe they expected them to be rebooted constantly.

* Entries weren't being added to the ARP table, probably because of a timestamp overflow.

Not only will it be your choice to accept the binary, but Mozilla also shares those concerns. Hence why they're sandboxing the CDM plugins to limit their access and ability to do anything except what they advertise. We'll have the choice to trust Mozilla's work, disable it, or partake in an effort to confirm that it's as legit as we want, so I honestly fail to see any major issue here.

Don't forget that the GMP only has access to a certain number of Firefox functions and runs inside a sandbox [mozilla.org]. That code is treated as insecure and, as it has a very defined objective, it is easier to sandbox (i.e., no filesystem access, no network, etc.).

Yes, it's not perfect, but it's a good workaround for those software patents and DRM.

Those that still don't trust it can choose to not install the Cisco OpenH264; it's a "plugin" after all.

They've already destroyed FF and changed it from a browser with its own identity into Chrome's obsessed former friend who mimics her every move and style and is planning to kill her and assume her identity some day.

Honestly, there's nothing left to call Firefox now. If I want a browser like Chrome, I'll run Chrome. If I want a browser like Firefox, then I have to use an old one or a fork.

Stop punching your users in the face, and give them back the control they had over their browser.

I may have control over this plugin, but I don't have control over my whole browsing experience the way that I did 8 versions ago.

AKA "last month". Mozilla really lost the community's goodwill with that move. There was no compelling rationale to support FF after that. Their insistence on using a single-process model really destabilizes their browser, for example. Every release seems to remove functionality or force you to change the way you use the browser in ways you don't want. It's like they hired Gnome 3/Unity/Windows Metro program managers and asked them how best to fuck up their main product.

Thanks to this change to their support model I relegated FF to rare use when I need to check to confirm if another browser is being flaky or if the site itself is to blame.

"Living 4 years ago" is a claim that's incompatible with you referencing features that aren't officially released yet. Thanks to your flame I actually googled again about it, and like the past 7 years I have checked, there are "plans" to multiprocess Firefox.

However, multiple process Firefox doesn't actually exist in practice yet. Go ahead and enable your multiprocess flags in about:config. Spawn a bunch of tabs and windows and admire the "pretty underlining" on the tab titles. Now check your task manager and count the number of Firefox instances. What's that, you say? There's only one?

Now kill the single Firefox process that's there and see how many FF windows stay open. Zero is the answer.

Fail.

Instead of astroturfing for FF, perhaps you should sit down at your desk at Mozilla and get back to coding your has-been product.

You do know those addon "fixes" are temporary at best and utterly dependent on whatever changes the FF devs feel like doing, right? If the mod gets broken then everyone is welcome to the chrome-copy UI. But that's no problem, right? We all love Chrome, don't we?

Oh, hang on... They are referring to the yet unreleased, possibly future version of Firefox. With no indication whatsoever of that fact in the summary, even though a (stable?) version of Firefox was just recently released, as highlighted on this very same website less than 24 hours ago.

...

Would it have killed anyone to point this out somewhere? You know, for those of us at home who don't keep up with Firefox's versioning madness?

The article mentions Youtube, without giving any specifics. Seems they're shipping the plugin greyed out, disabled etc. and then WebRTC stuff will work (does anyone have either used that?) and then maybe you'll be able to use html5 video in some future version, maybe.

Setting the politics aside, and even whether they intend or not to provide html5 video support, it feels better to do that staged release. I sure would want that the kinks, bugs, networking and security issues are worked out before it is unleas

> The article mentions Youtube, without giving any specifics. Seems they're shipping the plugin greyed out, disabled etc. and then WebRTC stuff will work (does anyone have either used that?) and then maybe you'll be able to use html5 video in some future version, maybe.

You don't need H.264 for Youtube. You can watch everything there, and at several other sites using the "Video WithOut Flash" plugin:

OpenH264 only ships with a video decoder, no AAC audio decoder. The hack Cisco made with OpenH264 won't work, as the AAC licensing pool company removed [livejournal.com] caps. For WebRTC, this is no problem, as opus will be used as audio encoding. But MP4 won't work. Perhaps there is potential for a matroska-based h.264+opus format, as when IE and Safari (which don't have opus for the audio element yet) implement WebRTC, they need opus encoders and decoders. Then it's only a small step to support this mixed format.

Mozilla capitulating on the tag has serious implications for web standards. By including patent-encumbered code in the browser they take the rug from under those in the www foundation that argue for free web standards.
Yes, some websites wanted to use H.264 for video encoding, but Mozilla shouldn't have abetted them.

This has nothing to do with the "tag" itself, which does not specify codecs. Yes, this is still a compromise, but many of us have been compromising for years on various aspects of freedom and openness. Choose your battles carefully and you can win the war: Mozilla has already achieved so much for the open web, and I'm confident the upward slope will continue.

I'm all for open standards and less patents, but H.264 videos and H.264 decoding hardware has been used everywhere for almost a decade now. Even if something free and open-source had been able to replace it, we're on the verge of switching to H.265 which is about twice as good as H.264.

I'm sure the transition to H265 will be at least a decade long (do unreleased AMD and Intel CPUs even support it? I think not). H264 will stay for a long time. Even MP3 has been outdated for like 10+ years but still is massively used.

> H.264 videos and H.264 decoding hardware has been used everywhere for almost a decade now.

Make it two decades and we'll talk.

> we're on the verge of switching to H.265 which is about twice as good as H.264.

Not so fast though. When I made a similar point [slashdot.org], people mentioned that video providers will continue because they have the choice of decoding H.265 in battery-gulping software or H.264 in battery-sipping hardware.

If the open source world releases something (unencumbered with the GPL - i.e., BSD licensed) with encoding and decoding tools that actually works as well or better than the closed alternative, in a timely manner then I'm sure people will use it.

It will never happen. Get used to it. There is far, far less complex stuff in the free desktop that has been broken for the past 20 years and still not fixed.

It also still doesn't give anyone permission to generate their own h.264 video files (outside of webrtc "video-chatting" inside the browser) legally without paying someone a patent "poll-tax" for permission, so this is still "consume-only".

I'm also under the impression that there are, absurdly, potential patent-license issues with the .mp4 file format that h.264 video is most often stored in.

Finally, of course unless the usual obstructionist Apple and Microsoft ever implement opus codec support, this also doesn't give you the legal ability to include sound (mp3 or aac, typically, for h.264 videos) with the video. Hope everybody likes silent movies...

If you have a camcorder, the license to create h.264 is present as part of the camcorder. This includes phones and everything else people submit to YouTube, for example.

The only constraint is that if you post content online, you cannot take payment on the content itself - i.e., you can put it online, you can put ads around it, but you cannot force someone to pay to view that content (commercial activity). So those videos on YouTube where you have to pay in order to view them come under a different license.

As for the Mp4 format being patented - it's RAND by Apple ages ago (MP4 is a subset of the QuickTime MOV format). If Apple's asserting any patents on the format, that is. But since people mass-license the h.264 patents through the MPEG-LA, that means any patents Apple has on MP4 are included in the license fee you pay to create or display the content.

Sound is licensed under a separate agreement - MP3 or AAC. Again, your typical MPEG-LA license for h.264 will probably include use licenses for AAC (most typical format) so you can have a soundtrack.

> Yes, some websites wanted to use H.264 for video encoding, but Mozilla shouldn't have abetted them.

H.264 is here.

HEVC not far down the road.

The geek sees everything in terms of the "open" web.

But there is more to digital video than video distribution through the web.

Which is why the mainstream commercial codecs dominate here.

Why hardware and software support for these codecs are baked into the smartphone, tablet, PC, graphics card, HDTV, video game console, Blu-ray player. The prosumer HD camcorder, medical and industrial video systems and so on, endlessly.

> But there is more to digital video than video distribution through the web.

The "distribution" is orthogonal to the codec being used. Most of the things that make a good "digital video" codec for the "web", also make it exceptionally good for physical media, dedicated hardware, etc., etc.

> Which is why the mainstream commercial codecs dominate here.

No, MPEG codecs dominate, because they had NO open competitors, until *just now*.

Code implementing software patents can still be Free/Open Source Software. I mean, isn't that what x264 and VLC is? The un-FOSS-like restriction is one enforced by the government and patent trolls, not the software project.

Just because one country makes it illegal means you should, or even have to, spread it all around the world.

Mozilla isn't even offering people the option to enable h.264 in some alternative fashion (maybe a user could provide it themselves, maybe Firefox searches the OS or hardware for an

Serious question: What's the best way to handle video on the web given a few requirements? First, the content needs to be hosted on the same site as the website. Why? Because sites like Youtube and Vimeo have control over it. They can unilaterally decide to take something down. They will also present related video. For someone trying to market product, you shouldn't make it easy for a prospective customer to find your competitors. Second, the video has to work on both Macs and PCs. Third, the video has to work on Internet Explorer as early as v.8 because too many users don't know any better.

Virtually all of the popular file formats for video are essentially containers that have mpeg4 video inside. Therefore, essentially any player can play mpeg4. The difference is which package files they can open, so just use a plain .mpg file rather than a proprietary package like .wmv.

If you want to embed the video that's fine, but also provide a link to the mpeg file itself. A plain link to a mpg file is like a plain link to an html page - it will work for anyone.

To an extent it depends on what your video is of. I'd assume that users of Internet Explorer 8 at home have far less disposable income than users of Firefox, Chrome, Safari, or new IE. Will they be paying for your video or for the product that your video advertises?

Not exactly a valid assumption. Government users tend to use IE primarily because they have to access other government sites that were built by the lowest bidder who often only work on Windows and only works on IE. Hell, while most of the world uses Acrobat for forms, the feds contracted with IBM to build some IT stuff and they're using this goofy holdover from their acquisition of Lotus.

> sites that were built by the lowest bidder who often only work on Windows and only works on IE

All supported Windows desktop operating systems can run IE 9 or later. Besides, whether and why government employees on government equipment and government time would be watching your video still depends on what the video is of. It might be better in a specific case to download the video to watch in a native, non-web application, or to have the IT department authorize installation of a second browser for "general interest" web sites.

Welp, then downgrade or whatever can be an option if-when that happens. For now, I'd prefer using the addon over dropping back that far. Hell, there's always ESR to drag that window out even further if indeed the addon gets abandoned. But given how many people (me included) are annoyed with Australis, I expect the addon will have a reasonable shelf life.

Downgrading is a seriously bad idea - security patches are a must for browsers. ESR can save you for a while, but it's really just a time-delaying tactic. The v24 ESR for Firefox runs out of support just now, meaning even ESR users will get to "enjoy" Australis soon enough. As for the shelf life of the addon, that's really dependent on what the FF devs do; they are free to do changes that bork the mod. If they do something that makes the mod unable to recreate the addon bar, then there it is! No more addon

I know some will mock this, but there is a heck of a lot of Flash content out there, and Firefox really should work with Adobe for an unloadable plugin for getting an up to date Flash player on all platforms. There is really far too much Flash content out there to ignore this need. Make it something that can be disabled, and unloaded as a plugin, sure. If you don't want it, you won't have to have it loaded, so it keeps everyone happy. I think that getting Ogg support into the browser and other open codecs w

>I think that getting Ogg support into the browser and other open codecs will help us transition away from the Flash over time,

Also, Flash CC, the authoring tool, can now output HTML5 rather than SWF, so all the existing Flash projects can be recompiled to no longer require the plugin. Support isn't 100% yet, but that's the direction Adobe is going. The programming language within Flash has always been a dialect of JavaScript/ECMAScript, so it is pretty simple for Adobe to start using the browser's Jav

This split between supported formats on various browsers is ridiculous. Embed it into the next Firefox so that video tags support H.264. Make it something you can disable if you're paranoid. There will be plenty of time to examine it and make sure there isn't a back door (which would be a stupid thing for Cisco to attempt!)

So, this is a software only patent... so it's not legal in Europe (or is it?). Some Linux distro might consider integrating this code directly, and compile it instead of letting FF grab a blob from Cisco. Maybe distribute it in a special repository, that users would activate where it's legal...
Notice VideoLAN for example does play HEVC (aka H.264), and does not licence anything...

... all software is implemented on hardware. Even the instructions you send to your processor get translated into other software (microcode) which is what actually gets executed.

Hardware acceleration still runs software.

H.264 isn't 'amazing' because of the hardware acceleration built into everything, it's extremely convenient. If OGG was built into everything, we'd be using that instead because that's what would allow us to have long battery life and lower heat dissipation.

H.264 isn't software anyway, it's a collection of algorithms and protocols. There are multiple software implementations of H.264, of which Cisco's is only one.

And, it becomes just more BSD code when the patent expires in... what, a decade?

A decade from now, most major web video streams will be in H.265 (HEVC), and H.266 will be the Next Big Thing(tm). By the time the patents on one codec have run out, bandwidth constraints cause providers of non-free media to switch to a new freshly patented codec. Users end up stuck on a treadmill, from H.261 to MPEG-1 to MPEG-2 to H.263 family (Sorenson Spark, DivX, Xvid) to H.264 (AVC) and so on.

Once a format is deemed "good enough" it can stick around for a long time.

True, if it is impractical to deploy a new codec in the field alongside the existing codecs, a first mover will win. This is why U.S. OTA digital television is stuck on DVD/SVCD era codecs, but some countries whose digital transition happened later use H.264.

Furthermore bandwidth prices have dropped through the floor in recent years

Long haul yes, last mile no. Satellite and cellular ISPs tend to charge on the order of $10 per GB. Even wired home ISPs such as Comcast and Verizon have been practicing "congestion by choice", refusing to peer with L3.

> if it is impractical to deploy a new codec in the field alongside the existing codecs, a first mover will win. This is why U.S. OTA digital television is stuck on DVD/SVCD era codecs, but some countries whose digital transition happened later use H.264.

It's not true that H.264 is significantly better than MPEG-2 video, when used at high bit rates as in HDTV. Every video codec developed since MPEG-2, and every audio codec developed since MPEG-1 Layer II, has been focused on low-bit rate video that needs to

Depends on where you live. I get 500mbps* symmetric connection today, for about the same price I used to get a 4mbps/768kbps connection 4 years ago and a 1mbps/128kbps connection 8 years ago.

*They throttle down to 80-90mbps a few hours per day (during peak), but I get full 500mbps in other times, with no cap whatsoever, the average bandwidth is about 300mbps, which is good enough for me.

> By the time the patents on one codec have run out, bandwidth constraints cause providers of non-free media to switch to a new freshly patented codec

That seems silly.

Bandwidth is one of those commodities (like processor cycles) that gets cheaper as time marches on. Bandwidth now is easily a couple of orders of magnitude higher than a decade ago (and moving towards gigabit), and that was several orders of magnitude higher than the decade before that.

True, but if you save all your files in H.264, you are guaranteed an archival data format that can be read by software that won't suddenly stop working.

If you are archiving a video that you produced, what's the big advantage of H.264 over VP8? VP8 is rate-distortion comparable to H.264 baseline, and VP8 is free today. An archival copy needs to be read by software, not necessarily read by specialized hardware in a battery-constrained device.

If you are archiving a video that someone else produced, most streaming video providers have a policy of implementing technical measures to prevent just that, backed by national anticircumvention legislation.

Transcoding isn't fun or fast. I'd rather have my files in such a format that I can actually use instead of some format that I would need to convert before being able to play.

If you archive a 4K video, you need to scale it down anyway before it'll play efficiently on a handheld device, no matter what codecs that device accepts. Besides, if you produced video, you may want to archive the source footage in its original format and a non-destructive edit decision list.

Also, my country does not have software patents, so h.264 is (legally) free to me.

But does it have anticircumvention legislation (DMCA, EUCD, etc.)? Besides, the process of finding a country with acceptable living conditions and visa requirements, finding an employer to sponsor a work visa, and fina

Ever wondered what the "89" in GIF89a stands for? It stands for 1989. Unlike copyrights, patents encumber all implementations of a method, even those resulting from independent reinvention. To make up for this, patents last only 20 years, not 95 like a copyright.

If you don't trust Cisco you better get off the internet. Seriously, if you're worried about this, a binary blob running in your web browser is the least of your problems. There's a very good chance that the network hardware at your ISP is Cisco. If it's not, it will likely be Juniper.